Domain-Name-System
dnssec-signzone error "not at top of zone" for a hosted domain
```
$TTL 86400
$ORIGIN yoda.domain2.com.
@ 1D IN SOA yoda.domain2.com. admin.domain.com. (
        2015021601 ; Serial yyyymmddnn
        3h ; Refresh After 3 hours
        1h ; Retry Retry after 1 hour
        1w ; Expire after 1 week 1w
        1h) ; Minimum negative caching of 1 hour
        IN NS yoda.domain2.com.
        IN NS r2d2.domain2.com.
domain.com. IN TXT v=spf1 mx a:r2d2.domain2.com ~all
domain.com. MX 0 r2d2.domain2.com.
domain.com. IN A 108.61.175.20
www.domain.com. IN A 108.61.175.20
mail.domain.com. IN A 107.191.60.48
imap.domain.com. IN A 107.191.60.48
pop.domain.com. IN A 107.191.60.48
smtp.domain.com. IN A 107.191.60.48
yoda.domain.com. IN A 108.61.190.64
r2d2.domain.com. IN A 107.191.60.48
vader.domain.com IN A 108.61.175.20
r2d2.domain.com. IN AAAA 2001:19f0:7000:8945::64
yoda.domain.com. IN AAAA 2001:19f0:6c00:8141::64
$include /usr/local/etc/namedb/Kdomain.com.zsk.key ; ZSK
$include /usr/local/etc/namedb/Kdomain.com.ksk.key ; KSK
```
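The `SOA` record is at `yoda.ex-mailer.com` (`$ORIGIN yoda.ex-mailer.com.` redefines the origin). However, the rest of the zone file appears to contain `nyctelecomm.com.` records. In addition, you specify the initial origin to `dnssec-signzone` as `nyctelecomm.com`. This looks like a mismatch that would cause this kind of error. (The `SOA` and `NS` records should be at the zone apex.) While the problem with this zone file is essentially unrelated to DNSSEC, you may want to look into the `auto-dnssec maintain` feature of modern BIND versions as an alternative to signing manually with `dnssec-signzone`.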
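The mismatch described in the answer can be checked before signing. The following is an added example, not part of the original question or answer: a simplified zone-file reader that follows `$ORIGIN`, resolves each owner name, and reports `SOA` records or other data that do not belong to the zone name the file is signed as. The function names `records` and `apex_problems` are hypothetical, and the sample uses the anonymized names from the zone file in the question.

```python
RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME", "DNSKEY"}  # types this sketch recognises

def records(zone_text, origin):
    """Yield (owner, rrtype) with owners made absolute, following $ORIGIN."""
    owner, pending = origin, ""
    for raw in zone_text.splitlines():
        line = pending + raw.split(";", 1)[0].rstrip()  # drop comments (quoted ';' not handled)
        if line.count("(") > line.count(")"):  # record continues, e.g. a multi-line SOA
            pending = line + " "
            continue
        pending = ""
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not tokens:
            continue
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].lower()  # assumed absolute (trailing dot)
            continue
        if tokens[0].startswith("$"):  # $TTL, $INCLUDE: skipped in this sketch
            continue
        if not line[0].isspace():  # owner present; a leading blank reuses the last owner
            name = tokens.pop(0).lower()
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        rrtype = next((t.upper() for t in tokens if t.upper() in RRTYPES), None)
        if rrtype:
            yield owner, rrtype

def apex_problems(zone_text, zone_name):
    """List records that conflict with the zone name the file is loaded or signed as."""
    apex = zone_name.lower().rstrip(".") + "."
    problems = []
    for owner, rrtype in records(zone_text, apex):
        if rrtype == "SOA" and owner != apex:
            problems.append(f"SOA at {owner}, not at zone apex {apex}")
        elif owner != apex and not owner.endswith("." + apex):
            problems.append(f"{rrtype} at {owner} is outside zone {apex}")
    return problems

# Constructed sample: shortened copy of the zone file from the question.
SAMPLE = """\
$TTL 86400
$ORIGIN yoda.domain2.com.
@ 1D IN SOA yoda.domain2.com. admin.domain.com. (
        2015021601 ; Serial
        3h 1h 1w 1h )
        IN NS yoda.domain2.com.
domain.com. IN A 108.61.175.20
www.domain.com. IN A 108.61.175.20
"""

if __name__ == "__main__":
    for problem in apex_problems(SAMPLE, "domain.com"):
        print(problem)
```

With `$ORIGIN` changed to the zone name itself, the same sample produces no findings, because `@` and the blank-owner `NS` line then resolve to the apex.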